Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org> wrote:> > How about a new clone option "CLONE_NOSUID"?> > IMO, the clone call ist the wrong place to create namespaces. It should be> deprecated by a mkdir/chdir-like interface.

And the mkdir/chdir interface already exists, see "cd /proc/NNN/root".

There are some small quirks to fix, should we decide that's the way togo. But it's basically there.

File descriptors keep track of the namespace (actually vfsmnt) wherethey were opened. Today, if you pass a directory file descriptor fromone process to another, you're granting access to see the other'snamespace.

That's why /proc/NNN/root works (with small fixes) in much the wayyou'd expect.